dealix

asked on
Delegation outside Active Directory Domain

Ok, I set up active directory delegation on my Intranet/Internet site, and enabled windows authentication.
From the intranet users go to the ASP page, and their identity/credentials are passed through to the SQL server.

(logging into the sql server with the users credentials is the critical part here, we have assigned sql level permissions on certain tables)

When users, at the office, go to our website http://nexus.dealix.com/integratedlogon.asp, everything works like a dream.

When home users go to the site, the same http://nexus.dealix.com/integratedlogon.asp site, it kicks up the challenge authentication protocol thing, with the network logon popup (the gray popup window), and users have to log on.
We have windows authentication for the site, and have disabled the anonymous access.

Once they enter their info in the network popup, they get the ol'
"Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'."
So, the IIS server is authenticating people, otherwise they wouldn't even see that error message, they would just see some "page could not be displayed" thing.
However credentials are not passed to the sql server.

Is this Double hop?
Does it have something to do with the home users being outside of the domain?
If the credentials are good enough for IIS, why don't they go through to SQL?

Thanks,
Dan
ASKER CERTIFIED SOLUTION
Dave_Dietz
deighc

So your web server and SQL Server are different physical machines?

Then, yes, as Dave Dietz has already pointed out, this is the dreaded double-hop/delegation issue.

Although I have no direct experience of this (and maybe DD can help here), Windows 2k/2k3 domains let you configure machines and users as "Trusted for Delegation". This allows authentication tickets to be passed between machines and was put in place to work around the double-hop problem. It's my (imperfect) understanding that you must configure both the machines and the user accounts.

Configuring machines for delegation (Win 2k example)
http://support.microsoft.com/default.aspx?scid=kb;EN-US;283201
Configuring user accounts for delegation (Win 2k3 example)
http://www.kbalertz.com/kb_Q325894.aspx

Let me know how you get on (I'm curious because I've never had this problem - I built intranet systems like yours but I've always had IIS and SQL Server on a single machine).

And if this doesn't work then DD's suggestion of a second web app to use Basic Authentication would also work.
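A quick way to check the delegation and SPN settings that the two KB links above describe, as an added example that is not part of this thread or of any product's own tooling: a PowerShell audit script. It assumes the ActiveDirectory (RSAT) module, a Windows 2003 or later domain (constrained delegation is not available on 2000), an IIS worker process running as Network Service so that the web server's computer account is the one that delegates, and placeholder host names you must replace.

```powershell
# Added example (not from the thread): audit Kerberos delegation settings for an
# IIS front end that must pass the caller's identity on to SQL Server.
# Host names below are constructed placeholders.
Import-Module ActiveDirectory

$WebServer = 'WEBSRV01'                     # IIS computer account (assumption)
$SqlHost   = 'sqlsrv01.corp.example.com'    # SQL Server FQDN (assumption)
$SqlSpn    = "MSSQLSvc/${SqlHost}:1433"     # SPN the middle tier requests a ticket for

# userAccountControl bits (documented Windows values)
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained: may impersonate to ANY service
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition: NTLM/Basic callers too

# 1. The SQL SPN must be registered on exactly one account. With no SPN (or a
#    duplicate) the client silently falls back to NTLM, which cannot be forwarded,
#    and SQL Server sees the second hop as NT AUTHORITY\ANONYMOUS LOGON.
$spnOwners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$SqlSpn)" `
                            -Properties servicePrincipalName)
if ($spnOwners.Count -ne 1) {
    Write-Warning "SPN $SqlSpn is registered on $($spnOwners.Count) accounts (want exactly 1)"
} else {
    Write-Output "SPN $SqlSpn is registered on $($spnOwners[0].Name)"
}

# 2. Report how the web server is allowed to delegate.
$web = Get-ADComputer -Identity $WebServer `
                      -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
$uac     = [int]$web.userAccountControl
$targets = @($web.'msDS-AllowedToDelegateTo')

if ($uac -band $TRUSTED_FOR_DELEGATION) {
    # Works, but any service the caller could reach is now reachable by this host
    # if it is compromised; the least-privilege setting is constrained delegation.
    Write-Warning "$WebServer is trusted for UNCONSTRAINED delegation; constrain it to $SqlSpn"
} elseif ($targets -contains $SqlSpn) {
    $mode = if ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) { 'any protocol' } else { 'Kerberos only' }
    Write-Output "$WebServer may delegate to $SqlSpn (constrained, $mode)"
} else {
    Write-Warning "$WebServer has no delegation right to $SqlSpn; the hop to SQL will fail"
}
```

Kerberos delegation only forwards Kerberos tickets: a browser outside the domain normally negotiates NTLM, whose token cannot be forwarded unless protocol transition ("use any authentication protocol") is enabled, which is why a separate Basic/SSL site is the usual fallback for home users.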
dealix (ASKER)

Thanks folks,
I think (after much time & help) I've got the delegation part under control; now I'm trying to figure out the best way to configure 2 sites, with 2 security schemes (one with integrated auth, the other with basic/SSL) in a seamless way.
Ideally everyone would go to the same site; nexus.dealix.com, and internal users would be sent to the Integrated Auth site,
and external users would be sent to the SSL/basic site... and both sites would run off the same ASP code.....
Any ideas on how to make this seamless?

(  I posed a question on this at: https://www.experts-exchange.com/questions/21116001/Best-way-to-setting-up-two-sites-one-with-integrated-security-one-with-basic-authentication-from-the-same-code.html  )

Thanks!

> Any ideas on how to make this seamless?

I think you should simply be able to make another web application in IIS (but with a different authentication type and configured to use an SSL certificate of course) and point the web root to exactly the same directory as your existing web app.

The only code that I can think of that wouldn't work would be any server side detection of port number or protocol. And any hard-coded full URL paths (which you're not using anyway, right....??) would need to be changed.